Wed, 25 Jun 2008

Worst security questions ever (seriously)

My bank implemented new security questions last night. Here are the questions in their unedited glory (notations in brackets are for part two of the game).

Group One

Group Two

Group Three

If you’re playing along at home, how many of these questions (of the 21) are “good”? Blah blah blah, determined adversary, but COME ON! This is ridiculous. Schneier is getting an email about this one and maybe he can put a boot to their security officer’s coffee cup and wake him/her up.

Now, for the analysis.

Vulnerable to public records (first degree): A,C,G,H,P,T
Vulnerable to public records (second degree): F,J,K,M,Q,R
Vulnerable to close friends: A,C,G,I,N,T
Vulnerable to resume: A,B,G,H,O
Vulnerable to guessing*: H,I,N,L,S
Not particularly vulnerable: E,L,S

*Vulnerable to Guessing

Now in my bank’s defense, some of these negatives could be considered positives. Relying on publicly provable information for a variety of these things means that a person can’t really forget (for example) “In what city was your father born?” And many of the questions don’t have a single clear answer; instead each guess has an easy 5-20% chance of being correct.
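To put numbers on that 5-20% figure, here is an added example (not from the original post, and not the bank’s logic) that treats each guessable question as a uniform choice among 1/p equally likely answers and computes how many bits of protection it really offers, how likely an adversary is to pass a whole challenge set, and how that compares with a random lowercase string. The per-guess probabilities in SAMPLE_CHALLENGE are constructed for illustration within the post’s 5-20% range; the retry policy is an assumption, since the post does not say how many attempts the bank allows.

```python
import math

# Constructed sample: per-guess success probability for each question in a
# three-question challenge. Values are assumptions within the post's 5-20% range.
SAMPLE_CHALLENGE = [0.05, 0.10, 0.20]

# Assumed retry policy (the post does not state the bank's); three tries per
# question before lockout is used here purely for illustration.
ASSUMED_ATTEMPTS_PER_QUESTION = 3


def entropy_bits(p):
    """Effective entropy of a question whose best single guess succeeds with
    probability p: a 5% question is worth log2(20) ~ 4.3 bits, a 20% one ~ 2.3."""
    return math.log2(1.0 / p)


def question_pass_probability(p, attempts):
    """Chance of clearing one question within `attempts` guesses, modelling it as
    a uniform choice among 1/p answers with guesses made without repetition."""
    return min(1.0, p * attempts)


def challenge_pass_probability(per_guess_probs, attempts_per_question):
    """Chance an adversary clears every question in the set, each within the
    allowed number of attempts, assuming the answers are independent."""
    prob = 1.0
    for p in per_guess_probs:
        prob *= question_pass_probability(p, attempts_per_question)
    return prob


def total_entropy_bits(per_guess_probs):
    """Bits of protection the whole set offers, assuming independent questions."""
    return sum(entropy_bits(p) for p in per_guess_probs)


def equivalent_random_chars(bits, alphabet_size=26):
    """How many uniformly random characters from an alphabet of the given size
    carry the same entropy (default: lowercase letters)."""
    return bits / math.log2(alphabet_size)


def summarize(per_guess_probs=SAMPLE_CHALLENGE,
              attempts=ASSUMED_ATTEMPTS_PER_QUESTION):
    """Return the key figures for a challenge set as a dict, for reuse or display."""
    bits = total_entropy_bits(per_guess_probs)
    return {
        "bits": bits,
        "equivalent_lowercase_chars": equivalent_random_chars(bits),
        "pass_probability_one_try": challenge_pass_probability(per_guess_probs, 1),
        "pass_probability_with_retries": challenge_pass_probability(per_guess_probs, attempts),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:.4f}")
```

With the constructed values, the three questions together are worth just under 10 bits, about two random lowercase letters, and a modest retry allowance lifts the adversary’s odds from one in a thousand to a few percent. The sharpest lever a defender controls here is the per-question attempt count and lockout policy, since the entropy of the questions themselves is fixed by how guessable they are.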

This wouldn’t be such a problem if there weren’t so few non-public questions, and if they hadn’t introduced an entirely new class of vulnerability to security questions by allowing “resume attacks”.

A resume generally has dates and locations. Depending on how old you are, your resume tells where you went to high school, when you graduated, what your first job was, and approximately how old you might be. Really quite terrible from the perspective of keeping the answers to your security questions private.

Something interesting about resumes is that they are a double-edged sword. On one hand you want the widest distribution possible (self-promotion / advertising). On the other hand, you have to disclose a fair amount of information in order to permit people to contact you. My resume has been online for at least as long as this blog, and I’ve always kept it much like my traditional resume (including address, phone number, and email). Maybe it’s time now to put in “contact me at” and slap up a form.

